Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
STANDING COMMITTEE ON LEGAL AND CONSTITUTIONAL AFFAIRS
01/03/2007
AusCheck Bill 2007

CHAIR —Welcome. The Office of the Privacy Commissioner has lodged a submission with the committee, which we have numbered 12. Do you need to make any amendments or alterations to that submission?

Mr Solomon —No.

CHAIR —Mr Solomon, I assume you will make an opening statement and then we will go to questions.

Mr Solomon —The Office of the Privacy Commissioner welcomes the opportunity to discuss its submission with the committee. The office supports the development and introduction of the AusCheck bill. We believe that providing a regulatory framework around this new centralised background checking service within the Attorney-General’s Department promotes transparency and accountability in government processes. We are particularly encouraged to see that a range of information management and protection measures have been included in the bill.

We are also encouraged that the department is undertaking a privacy impact assessment. Our office issued a guide in August last year to assist Commonwealth Government agencies who wished to undertake such assessments. We believe that undertaking this privacy impact assessment will assist the department to identify specific privacy impacts of personal information flows that will occur within the proposed AusCheck process and will enable the department to look at ways of reinforcing the positive privacy impacts of the process and managing or minimising any negative impacts. From an optimum privacy perspective, our office holds the view that the bill could be further enhanced with a few adjustments.

In our submission, we have acknowledged that the current bill seeks to regulate the purpose for which it will undertake background checks by requiring those purposes to either be enacted in primary legislation or through regulations under the bill. We welcome this approach while suggesting that an ideal privacy outcome would be to have each purpose enacted in primary legislation.

In our submission, the office has also commented on issues around collection, information to be assessed, retention of information and use and disclosure provisions. In relation to collection, we believe that section 13 could be aligned more appropriately with the information privacy principles in the Privacy Act if the collection of information was directly related to AusCheck’s purposes. If there is a specific reason for the current wording which requires the information to be only related rather than directly related perhaps the section could be modified to specify that reason.

In relation to information to be assessed for particular checking schemes, we believe that proposed section 5 could be modified to indicate that the information must be relevant to the risk associated with the particular background check that is being undertaken. In relation to retention of information we have suggested an additional section in the bill to require AusCheck to delete information that is not relevant to the background check for which it is being collected, used or disclosed.

Finally, in relation to use and disclosure of any information collected by AusCheck, our office has suggested that some additional information in section 14 about the agencies or organisations, or perhaps the types of agencies or organisations that information could be disclosed to would assist. I now welcome any questions from the committee.

CHAIR —Thank you, Mr Solomon. Ms Harris, you don’t wish to add anything at this point?

Ms Harris —No, thank you.

Senator LUDWIG —When you look at this bill, particularly the objects which go to provide a regulatory framework for coordinating and conducting certain criminal security and then it adds ‘and other background checking’. You look at the definition of background check and it says in prposed section 5(d) ‘Such other matters as are prescribed by the regulations’, you then look at part 2, proposed section 8, which establishes AusCheck scheme, and 8(1)(c) ‘for such other purposes as are prescribed by the regulations’. You then look at how the information might be safeguarded and you cannot find that either. They may as well have said ‘as such other regulations may prescribe’. Does that concern you as the Privacy Commissioner in terms of how that information might be gathered, stored and then destroyed if it is no longer necessary and whether it meets the privacy principles in terms of this bill? We do not have the regulations to see whether it does in terms of the operation.

Mr Solomon —It is not apparent that the AusCheck bill purports to make AusCheck exempt from the obligations under the information privacy principles and it is apparent from the Attorney-General’s second reading speech that AusCheck will operate in accordance with the provisions of the Privacy Act. Specifically as discussed in our submission, information privacy principle one relates to the manner and purpose of collection of personal information and requires agencies to limit the collection of personal information to where it is necessary for or directly related to a purpose that is directly related to the function of the collector. As mentioned in my opening statement, the office believes that section 13, which authorises the collection of information, could be aligned more appropriately with the IPPs if that collection of information was directly related to AusCheck’s purposes.

To further expand on your question in a wider view, our understanding of the bill is that it sets up a process within the Attorney-General’s Department that at the moment is in relation to ASICs and MSICs. It allows for that background checking to be pursued for other background check purposes at a later time, but they would have regulation around each of those processes, which would be in either primary legislation or regulations under this bill. So, apart from the issues that we have raised in our submission, I do not think at this stage the office feels there are any other outstanding major concerns.

Senator LUDWIG —Do you think people should be able to access that to find out what information is being held on the database, from a privacy perspective?

Mr Solomon —As I said, I believe that AusCheck is going to follow the obligations under the information privacy principles. We have nothing to say that that is not the case, so provisions that already exist under privacy legislation will apply.

Senator LUDWIG —Are you aware of who the consultants are that have undertaken the privacy impact assessment work?

Mr Solomon —We have been approached by the consultant for some initial discussions.

Senator LUDWIG —Are you able to say who the consultant is?

Mr Solomon —I do not think that I am at liberty to say. I think that would be the Attorney-General’s Department.

Senator LUDWIG —When you start at the objects then move through the definition and the way the purpose can be prescribed by regulation, it sets up, in my mind, a very wide scheme. It does not seem to be limited. It is now about ASIC and MSIC card, but it does not seem to rule out a whole framework of data collection from organisations ranging from criminal history checking through to criminal intelligence, through to security assessments—and what we do not know after that. Does the breadth concern you from a privacy perspective? In other words, once the government decides to put this in place, then this is the last time you will be asked to comment on this bill because the next way it will operate is by regulation. So, unless you are involved in the regulation, you will not see it again and it can be extended and extended into a whole range of areas. What I am asking you is: is the framework, in your view, too broad, just right or too narrow?

Mr Solomon —In my opening remarks I said that the ideal privacy outcome would be for each of the schemes that AusCheck undertakes to be initiated through primary legislation, but we are also mindful that this scheme is an advance. It puts in place some legislative oversight of each of the schemes that AusCheck will undertake so that there at least will be regulations for each of those schemes.

Senator KIRK —Following on from questions I was asking of the Law Council, I believe it is clause 5(d) which has the effect of potentially expanding the type of information that can be assessed in a background check. Your suggestion on page four of your submission is that that could benefit from being reference to the risk associated with particular appointment situations or other reasons the background check is being undertaken. I wonder if you could expand a bit upon that for us and how you would draft that. I am not suggesting that you have to draft the provision for me, but how would you formulate that in the legislation; what would be the nature of the amendment? Would it refer to, as it does here, the risk associated with the employment? Is that what you see is the best way to narrow the operation of the clause?

Mr Solomon —We have not looked at a form of words for amending or modifying the section, but we do propose that the regulation-making power be fettered by it being relevant to the particular background-checking scheme that that information will be collected for. I have not got a form of words, but I think that section could be fettered using some words to that effect.

Senator KIRK —I wonder if you might be able to take that on notice and come back to the committee with a form of words as to how you suggest that might be formulated? That will be helpful.

Mr Solomon —I will take it on notice and let you know what we can do.

Senator TROOD —Do I understand your position to be that the Privacy Act applies to the legislation and that, insofar as people have a right to access information about themselves through the Privacy Act, you are persuaded that that is sufficient protection in relation to this scheme?

Mr Solomon —Yes, the office’s position is that this scheme is within the Attorney-General’s Department. The Attorney-General’s Department is subject to the Information Privacy Principles and those principles allow for certain rights and responsibilities in relation to people’s personal information, so our position is that this scheme is subject to those principles and that is sufficient.

Senator TROOD —Could you explain to me the means by which those entitlements apply to this legislation? You say the privacy rules apply to the Attorney-General’s office but this is a general proposition you are putting. I am not quite clear how a person whose information might be on the database would necessarily get access to it by way of the provisions here, but you are saying they get access by virtue of the generic provisions that apply to any data held by the Attorney. Is that correct?

Mr Solomon —The privacy principles apply to most government agencies. They do apply to the Attorney-General’s Department.

Senator TROOD —I see.

Mr Solomon —The Office of the Privacy Commissioner does not want to create more inconsistency between or overlapping of principles, so it is important that the existing principles are allowed to apply; we understand that they do.

Senator TROOD —The Law Council makes the point that there is the need for a more specific provision about this, but you are not troubled by that. You do not think that is necessary?

Mr Solomon —I do not know if I can say it in any more words.

Senator TROOD —Okay. The point you make about deleting information—it seems to me to be rather difficult to delete information that is not relevant to the background check. How might one establish a set of principles that might be used to actually remove information? One gathers a body of information. Are you saying that a view will be formed on that body of information and then it would be appropriate to remove that information which was not relied upon for the position that was reached in relation to an individual? I am struggling to see how you easily separate or set up a legislative or regulatory scheme which would allow you to disaggregate the information in the way you propose in your submission.

Mr Solomon —I am not suggesting that operationally that would be an easy process. Our understanding is that some of the criminal history checks that are now undertaken do provide information across—they are unfettered—and that not all of that information may be relevant to the particular background check that is being undertaken. So our general position would be that that which is not relevant could be deleted; it would not need to be kept. I am not suggesting that operationally that is going to be an easy process.

Senator TROOD —I am sympathetic to the proposition you are putting, but I am interested in trying to determine how you would actually operationalise it, and that seems to me to be a challenge. Are there any legislative schemes of which you are aware that might provide some guidance to try to achieve that task?

Mr Solomon —I think that all government agencies struggle with trying to keep their databases accurate, relevant, up to date and those sorts of things under the privacy principles, and this would not be an easy challenge. I could take it on notice and let the committee know if we can suggest any similar schemes that would be appropriate.

Senator TROOD —If you could turn your mind to that, that would be helpful I think. Thank you.

CHAIR —Mr Solomon, was the Office of the Privacy Commissioner involved in any consultation process with the Attorney-General’s Department in the development of the legislation?

Mr Solomon —Yes, the office had some meetings in that development process.

CHAIR —Were they meetings—to the extent that you can tell the committee—of a formal consultation process on this particular piece of legislation or just in the general course of events?

Mr Solomon —We received some briefings during the development process.

CHAIR —So you were able to make some input as the bill was being drafted?

Mr Solomon —We feel we made some input as the bill was being drafted.

CHAIR —As there are no further questions, we thank you both very much for appearing this afternoon and thank you very much for the submission of the Office of the Privacy Commissioner.

[5.33 pm]